Arguing regulatory compliance of software requirements
作者:
Highlights:
•
摘要
A software system complies with a regulation if its operation is consistent with the regulation under all circumstances. The importance of regulatory compliance for software systems has been growing, as regulations are increasingly impacting both the functional and non-functional requirements of legacy and new systems. HIPAA and SOX are recent examples of laws with broad impact on software systems, as attested by the billions of dollars spent in the US alone on compliance. In this paper we propose a framework for establishing regulatory compliance for a given set of software requirements. The framework assumes as inputs models of the requirements (expressed in i*) and the regulations (expressed in Nòmos). In addition, we adopt and integrate with i* and Nòmos a modeling technique for capturing arguments and establishing their acceptability. Given these, the framework proposes a systematic process for revising the requirements, and arguing through a discussion among stakeholders that the revisions make the requirements compliant. A pilot industrial case study involving fragments of the Italian regulation on privacy for Electronic Health Records provides preliminary evidence of the framework's adequacy and indicates directions for further improvements.
论文关键词:Regulatory compliance,Requirement engineering,Argumentation,Empirical evaluation
论文评审过程:Accepted 25 September 2012, Available online 26 December 2012.
论文官网地址:https://doi.org/10.1016/j.datak.2012.12.004